Skip to content

feat: remove sandbox attribute from iframe #1422

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
JosefBredereck merged 1 commit into from
Feb 2, 2022
Merged

feat: remove sandbox attribute from iframe #1422

JosefBredereck merged 1 commit into from
Feb 2, 2022

Conversation

@eWert-Online
Copy link
Contributor

@eWert-Online eWert-Online commented Feb 1, 2022

Closes #1414

Summary of changes:
This removes the sandbox attribute from the iframe.
As @mfranzke pointed out: Based on the following statement, the attribute is kind of pseudo security

When the embedded document has the same origin as the embedding page, it is strongly discouraged to use both allow-scripts and allow-same-origin, as that lets the embedded document remove the sandbox attribute — making it no more secure than not using the sandbox attribute at all.

@JosefBredereck JosefBredereck merged commit 4335660 into pattern-lab:dev Feb 2, 2022
antonia-rose pushed a commit to quelltexterin/nemo-uikit-workshop that referenced this pull request Apr 12, 2023
@eWert-Online
feat: remove sandbox attribute from iframe (pattern-lab#1422)
8bf0f1e
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@JosefBredereck JosefBredereck JosefBredereck approved these changes

@sghoweri sghoweri Awaiting requested review from sghoweri sghoweri is a code owner

Assignees

No one assigned

Labels

fix / refactor 🚧 released 🚀 uikit

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add allow-downloads to iframe sandbox options

3 participants

@eWert-Online @JosefBredereck @mfranzke